I want to add users to an existing LDAP group with Evolveum midPoint. I have a metarole:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="8dc821c4-b7ef-4092-a1b3-1a6ff437b0ed" version="11">
  <name>Metarole for groups</name>
  <!-- default order (1): the role this metarole is assigned to gets the LDAP group itself -->
  <inducement id="5">
    <construction>
      <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
        <!-- OpenLDAP TEST -->
      </resourceRef>
      <kind>entitlement</kind>
      <intent>Group</intent>
    </construction>
  </inducement>
  <!-- order 2: users holding that role get an account whose group membership comes from the linked group shadow -->
  <inducement id="6">
    <construction>
      <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
        <!-- OpenLDAP TEST -->
      </resourceRef>
      <kind>account</kind>
      <intent>default</intent>
      <association id="7">
        <c:ref>ri:group</c:ref>
        <outbound>
          <expression>
            <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
              <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                <kind>entitlement</kind>
                <intent>Group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>
The association in the resource configuration:
<association id="15">
  <c:ref>ri:group</c:ref>
  <displayName>LDAP Group Membership</displayName>
  <kind>entitlement</kind>
  <intent>Group</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>ri:dn</valueAttribute>
  <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
  <!-- element name is camelCase in the midPoint schema -->
  <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>
and the corresponding object type:
<objectType id="16">
  <kind>entitlement</kind>
  <intent>Group</intent>
  <default>true</default>
  <objectClass>ri:groupOfNames</objectClass>
  <baseContext>
    <objectClass>ri:organizationalUnit</objectClass>
    <filter>
      <q:equal>
        <q:path>attributes/dn</q:path>
        <q:value>ou=groups,dc=test1,dc=test2,dc=test3,dc=test4</q:value>
      </q:equal>
    </filter>
  </baseContext>
  <attribute id="21">
    <c:ref>ri:member</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <outbound>
      <strength>strong</strength>
      <expression>
        <!-- groupOfNames requires at least one member; this placeholder keeps newly created groups schema-valid -->
        <value>cn=dummy,o=whatever</value>
      </expression>
    </outbound>
  </attribute>
  <attribute id="22">
    <c:ref>ri:cn</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <outbound>
      <strength>weak</strength>
      <source>
        <c:path>$focus/identifier</c:path>
      </source>
    </outbound>
  </attribute>
  <attribute id="23">
    <c:ref>ri:description</c:ref>
    <outbound>
      <source>
        <c:path>description</c:path>
      </source>
    </outbound>
  </attribute>
  <attribute id="20">
    <c:ref>ri:dn</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <source>
        <c:path>$focus/identifier</c:path>
      </source>
      <expression>
        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
          <code>
            import javax.naming.ldap.Rdn
            import javax.naming.ldap.LdapName
            // build the group DN as cn=identifier under the groups container
            dn = new LdapName('ou=groups,dc=test4')
            dn.add(new Rdn('cn',identifier.toString()))
            return dn.toString()
          </code>
        </script>
      </expression>
    </outbound>
  </attribute>
  <activation>
    <administrativeStatus>
      <outbound id="9">
        <strength>weak</strength>
        <expression>
          <c:path xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ItemPathType">$focusExists</c:path>
        </expression>
      </outbound>
    </administrativeStatus>
  </activation>
</objectType>
This metarole is assigned to a custom role, and that custom role is assigned to users. Unfortunately, this only works when the group does not yet exist in LDAP. When it does exist, I get the error:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Error processing account (no ID, type "Group", resource: 8a83b1a4-be18-11e6-ae84-7301fdab1d7c (OpenLDAP TEST)): Constraint violation: Found conflicting existing object with attribute {.../resource/instance-3}dn = [cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4]: shadow:f14ebe2c-61f6-4069-8ca2-1b41324fed3b(cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4)
What could be the problem here?
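An added example, not part of the original post or of the midPoint project: the error above comes from midPoint's constraint check finding a group shadow that exists in LDAP but is not linked to the role, and midPoint only links such a discovered object instead of trying to create it when the resource has a synchronization section for that object type. The fragment assumes midPoint 3.x, the `q:`, `ri:` and `c:` prefixes declared on the role above, and that the role's `identifier` equals the group's `cn` (which is what the `cn` and `dn` outbound mappings imply).

```xml
<!-- Added example; sits inside <resource> next to <schemaHandling>.
     Assumes midPoint 3.x and that role identifier == group cn. -->
<synchronization>
  <objectSynchronization>
    <name>Link existing LDAP groups to roles</name>
    <objectClass>ri:groupOfNames</objectClass>
    <kind>entitlement</kind>
    <intent>Group</intent>
    <focusType>c:RoleType</focusType>
    <enabled>true</enabled>
    <!-- Correlate a discovered group with the role whose identifier equals its cn -->
    <correlation>
      <q:equal>
        <q:path>identifier</q:path>
        <expression>
          <path>$projection/attributes/ri:cn</path>
        </expression>
      </q:equal>
    </correlation>
    <!-- A matching role exists but the group is not linked to it: link, do not create -->
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
      </action>
    </reaction>
    <reaction>
      <situation>linked</situation>
      <synchronize>true</synchronize>
    </reaction>
    <!-- No role matches this group: leave it alone rather than inventing a role for it -->
    <reaction>
      <situation>unmatched</situation>
      <synchronize>false</synchronize>
    </reaction>
  </objectSynchronization>
</synchronization>
```

With this in place, recomputing the custom role should link the pre-existing group shadow (such as the one reported for cn=pre-test3) to the role, and the order-2 `associationFromLink` then adds the user's account to that group.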